The address resolution protocol (ARP) is a widely known process by which devices obtain necessary address information for transmitting data packets over computer networks. FIG. 1 shows a simplified view of a computer network 100. The computer network 100 can include a number of different subnets. For example, FIG. 1 shows a subnet 128 which includes layer 2 network devices 102-112. Additionally hosts such as end user computer would be coupled to ports of the layer 2 network devices, additional network devices could also be coupled to ports of the network devices 102-112. A second subnet 130 is shown which includes layer 2 network devices 116-124. Similarly additional hosts or network devices could be coupled to ports of devices 116-124. As is known in the art, layer 2 network devices can include different types of devices for example, switches, hubs and bridges.
A host device on the subnet can communicate with other hosts by transmitting data packets to the host that they desire to communicate with. These data packets will include a number of pieces of information that are used to ensure that the data packet is received by the destination host. Each host device on the subnet has a MAC address. The MAC address is unique for each host, and is usually determined by the network interface card for the host device, as is widely known. Further, as is also widely known each host will generally be assigned an IP address when the host is coupled to the subnet. The assigning of an IP to a host can be done in a number of different ways. One very common technique is to use the Dynamic Host Configuration Protocol (DHCP), which provides for transmitting a data packet to a host when the host is initially coupled to the subnet, and this data packet will provide the host with its IP address.
When a source host on a subnet generates a data packet to be transmitted to a destination host on the subnet, the generated data packet should include a number of elements including the MAC address and IP address for the source host, and the MAC address and the IP address for the destination host. It is sometimes the case that the source host will have the IP address for the destination host, but not the destination MAC address. In this situation the source host will generate an ARP request. The ARP request is transmitted from a host, to a switch, and the switch will broadcast the ARP request across the subnet. FIG. 2a shows a view 200 of information from a switch of a subnet when an ARP request is sent out. At 202 the information shows that packet (pkt) 91 was broadcast. The ARP request is shown at 204. The source hardware address (MAC address) for the host generating the ARP request is shown as 08:00:46:2A:AB:BE. The source protocol address (IP address for the source host) is 192.168.1.152. The ARP request shows the destination protocol address (IP address for the destination) is 192.168.1.254.
FIG. 2b shows the response to the ARP request. As is known in the art the response to an ARP request is generated by the host device having the IP address which is identified in the ARP request. The ARP reply is sent to the device identified by the source MAC address and the source IP address in the ARP request. At 206 the reply is shown as packet 92 which a source address of 00:50:18:03:D5:30. The reply is directed to the destination 08:00:46:2A:AB:BE (the MAC address for the source of the ARP request) as opposed to being broadcast.
Area 208 shows specific contents of the ARP reply. The source of ARP reply has source hardware address (MAC address) of 00:50:18:03:D5:30, and a source protocol address (IP address) 192.168.1.254. The destination MAC address and IP address are shown as being the addresses for the host which generated the ARP request.
Layer 2 network devices on the subnet operate to route data packets based on the MAC addresses contained in the data packets generated by the hosts on the subset. The IP addresses for the different hosts are utilized when the switches, or other layer 2, devices on the subnet recognizes that the MAC address is not coupled to the particular subnet. Once it has been determined that the MAC address of the destination host is not in the subnet, then the datapacket is switched through ports of the layer 2 network devices such that the datapacket is transmitted to the layer 3 router 126. The router 126 operates to route received data packets based on the IP address contained in the data packet, and the router 126 does not utilize the MAC address of the host which originally generated the data packet. For example, if a host device coupled to switch 102 of the first subnet were to transmit a data packet identifying a destination host which was coupled to the switch 116 of the second subnet, the data packet would be transmitted to the port of the router which was coupled to the first subnet, and based on the IP address of the destination host contained in the data packet the router would make the determination that the data packet should be transmitted to the second subnet 130 through a port of the router 126 which is coupled to the second subnet. As is known in the art a router can also operate to transmit datapackets, as IP datagrams over the Internet according to the TCP/IP protocol, and possibly other similar protocols.
ARP spoofing occurs in situations where an attacker poisons the ARP cache of the victim host, typically a personal computer (PC), by spoofing the MAC/IP pair of the ARP reply. For example, an attacker host could respond to an ARP request, which is broadcast on the subnet, as if the attacker host were the host which is assigned the IP address which is being queried in the ARP request. In response to the ARP request, the attacking host will generate a spoofed ARP reply in which the attacking host provides its MAC address and the IP address which was contained in the ARP request. This ARP response with the spoofed information, when received, will cause the host which generated the ARP request, to operate using the MAC address of the attacking host instead of the MAC address for the host which is actually assigned the IP address that was contained in the original ARP request.
A goal in an ARP spoofing attack is for the attacking host's forged, or spoofed, ARP reply (spoofed in the sense that the ARP reply shows an improper pairing of a MAC address and an IP address) to trick a target computer into caching the forged ARP entry, meaning that the target host will store the MAC address for the attacking host and use this MAC address in place of the MAC address for the actual desired destination host. When the ARP spoofing attack is successful the target will send data packets to the attacking host, and the target will have no idea that data packets have been redirected to the attacking host.
ARP spoofing can allow an intruder's computer to perform a man-in-the-middle (MIM) attack between hosts on a particular subnet and a gateway router port, and to perform session hijacking attacks. Using ARP spoofing, the attacker's host tricks the victim, or target, hosts into thinking that the attacking host is the gateway address through an ARP and MAC Address Spoof, as described above. The attacking host can then collect the data packet traffic and sniff the data packets (e.g. the attacking host can analyze and save information from the transmitted data packets). The attacking host can then route the traffic back to the gateway address.
Another way of sniffing on a switched network is through a concept called MAC flooding. The attacking host sends spoofed ARP replies to a switch on the subnet at a very high rate and overflows a MAC address table in the switch. This attack attempts to put the switch into broadcast/hub mode when their MAC tables are overflowed, which allows the data packet traffic to be sniffed. A variation of the MAC flood attack is to flood the network with spoofed ARP replies setting the MAC address table of a network gateway to the broadcast addresses, all external-bound data will be broadcast. This also enables sniffing on a switch.
ARP spoofing can also be used effectively as a Denial of Service (DoS) attack. By using ARP replies to flood the network with non-existent MAC addresses, host caches on the subnet are filled with garbage ARP entries that cause packets to be dropped. Session hijacking which allows an intruder, or attacking host, to take control of a connection between two computers can also be achieved using ARP and MAC spoofing similar to MIM attacks.
The risks poised by ARP spoofing attacks have been recognized, and currently there is a widely adopted software application called Arpwatch which is used to spot malicious ARP activity. Arpwatch is used by system administrators to detect changes in host IP addresses and ethernet addresses (MAC addresses). ARP watch listens for ARP requests which are broadcast and ARP reply packets which are sent on the ethernet (subnet) interfaces it is monitoring. For example, in the computer network 100 of FIG. 1, the device 114 could be computer, utilizing the Unix operating system, and running Arpwatch. The Unix computer 114 operates to listen to the ARP request and ARP reply traffic on the subnet 128, and to record changes made to IP address and MAC address pairs for hosts on the subnet. Arpwatch stores the MAC/ip address data in a file arp.dat, which should be empty before beginning to monitor activity.
Below is a sample output from arpwatch (version 2.0.1a1):
8:0:69:6:b2:b7129.99.34.4856807441buffett8:0:69:6:8c:6c129.99.34.7856810206peace8:0:69:a:6a:a129.99.34.13856810392heckler8:0:69:8:7e:39129.99.34.14856810397leo8:0:20:8:61:a2129.99.34.17856810390poppy8:0:69:8:7e:13129.99.34.18856810239win1128:0:69:9:1d:9e129.99.34.19856810235silk8:0:69:a:3f:7a129.99.34.43856810192nothing8:0:20:18:1e:e0129.99.34.44856810464vips8:0:69:9:b1:5a129.99.34.45856810205geckoThe first column lists the 6 hexadecimal digit ethernet address (MAC address) of a host. Column two contains the ip address. Column three holds a timestamp for the reporting made by the host for activity regarding the ip/ethernet addresses. Lastly, the hostname is reported in the fourth column. While system activity is logged to file arp.dat, any occurring changes are reported to root through e-mail messages.
One limitation with Arpwatch has been its ability to see all the ARP traffic on the subnet. It cannot be used for network wide monitoring due to ARP's inability to send ARP natively over Layer 3 networks. For example, as is known in the art, the ARP request and ARP replies on the subnet 128 would not be transmitted through the layer 3 router to the second subnet. Further, in certain circumstances, it is possible that depending on the configuration of the subnet, and the location of the hosts generating the ARP requests and ARP replies, the Arpwatch program running on 114 may not even see all ARP request and ARP replies on the first subnet. In order to overcome some of these limitations in Arpwatch, implementations of networks utilizing mirrored ports on uplinks, tagged VLANs, etc. have been developed to increase the amount of ARP request and ARP reply traffic, which can be observed by Arpwatch. However, each of these fixes has been found to have limitations and can be difficult to implement in some network configurations.